Prefetch Parser

Parse Windows Prefetch (.pf) files entirely in your browser. Drop the whole Prefetch folder — nothing is uploaded, parsing runs locally in WebAssembly.

What is Windows Prefetch?

Windows Prefetch (.pf) is a per-executable cache that Windows writes to C:\Windows\Prefetch\ every time a program is launched. Each file records what the program touched on its first run — the libraries it loaded, the volume it ran from, and how often it has been executed. For digital forensics, prefetch is one of the most reliable execution artifacts available: a program does not need to be installed or still present on disk to leave a .pf entry behind.

What each .pf file records

  • Executable name and prefetch hash (derived from the launch path)
  • SCCA version: 17 (XP/Vista/7), 23 (Win8), 26 (Win8.1), 30 (Win10), 31 (Win11)
  • Run count — how many times the program has been executed
  • Up to 8 last-run timestamps in UTC (Win8.1+)
  • Volume info: device path, NTFS serial number, creation time
  • Every DLL, configuration file, and resource the program loaded during prefetch capture

How to parse a Prefetch folder

Drop a .pf file or the whole C:\Windows\Prefetch\ folder on this page. The parser runs entirely in your browser:

  1. Files are read into memory locally — nothing is uploaded.
  2. A Rust prefetch decoder compiled to WebAssembly decompresses and parses each file inside a Web Worker.
  3. Results render as a sortable, searchable table. Click any row to see all run times, volumes, and referenced files.
  4. Export everything as JSON for downstream tooling.

Frequently asked questions

Where does Windows store prefetch files?

C:\Windows\Prefetch\ — typically several hundred .pf files on any active workstation. The folder is restricted but readable by administrators. Prefetch is enabled by default on workstation editions of Windows; on Windows Server it is often disabled.

How is the 8-character prefetch hash calculated?

The hash at the end of each filename (NAME-XXXXXXXX.pf) is derived from the full executable path as a UTF-16 string. Two copies of the same binary launched from different directories produce two different .pf files. The algorithm changed between Windows XP/Vista and Windows 7+ (SuperFetch hash).

Why are Windows 8+ prefetch files compressed?

From Windows 8 onward, the OS compresses prefetch files with the Xpress Huffman algorithm and prefixes them with the MAM\x04 signature. This parser decompresses them transparently — you don't need to pre-process anything before dropping the folder.

Are prefetch files reliable evidence of execution?

Yes — Windows only writes a .pf file after the executable actually runs. However, run counts and timestamps can be tampered with (e.g., by deleting prefetch files), and a missing entry does not prove a program never ran if .pf files were wiped post-execution. Combine with Amcache, ShimCache, and event-log data for corroboration.

Is anything uploaded to a server?

No. The parser compiles a pure-Rust prefetch decoder (frnsc-prefetch) to WebAssembly and runs it inside a Web Worker in your browser. Bytes never leave your machine. There is no backend, no telemetry on file contents, and no upload.

What versions of Windows are supported?

All SCCA versions from Windows XP through Windows 11: v17 (XP/Vista/7, uncompressed), v23 (Win8), v26 (Win8.1), v30 (Win10), and v31 (Win11). Both compressed and uncompressed prefetch files are detected automatically.
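
The compressed/uncompressed detection and the header fields listed under "What each .pf file records" can be checked on the first bytes of a file. The sketch below is an added example, not code from this page or from frnsc-prefetch: `inspectPrefetch` and `buildSampleHeader` are hypothetical names, the field offsets are assumed from the publicly documented SCCA header layout, and the sample header is constructed.

```javascript
// Added example: offsets follow the publicly documented SCCA header layout (assumption).
const SCCA_VERSIONS = new Set([17, 23, 26, 30, 31]); // versions listed on this page

function inspectPrefetch(bytes, fileName) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.length < 8) return { kind: 'invalid', reason: 'too short' };

  // Compressed container: "MAM", a 0x04 format byte, then the decompressed size.
  if (bytes[0] === 0x4d && bytes[1] === 0x41 && bytes[2] === 0x4d && bytes[3] === 0x04) {
    return { kind: 'compressed', decompressedSize: view.getUint32(4, true) };
  }

  // Uncompressed file: version at offset 0, "SCCA" at offset 4.
  const sig = String.fromCharCode(...bytes.subarray(4, 8));
  if (sig !== 'SCCA') return { kind: 'invalid', reason: 'no MAM or SCCA signature' };
  if (bytes.length < 84) return { kind: 'invalid', reason: 'truncated header' };

  const version = view.getUint32(0, true);
  // Executable name: UTF-16LE, NUL-terminated, 60 bytes at offset 16.
  let name = '';
  for (let off = 16; off < 76; off += 2) {
    const unit = view.getUint16(off, true);
    if (unit === 0) break;
    name += String.fromCharCode(unit);
  }
  const hash = view.getUint32(76, true).toString(16).toUpperCase().padStart(8, '0');

  // A .pf that was renamed or copied under another name no longer matches its header.
  const expected = `${name}-${hash}.pf`.toUpperCase();
  return {
    kind: 'scca', version, knownVersion: SCCA_VERSIONS.has(version),
    sizeMatches: view.getUint32(12, true) === bytes.length,
    name, hash, nameMatches: fileName.toUpperCase() === expected,
  };
}

// Constructed sample: a minimal 84-byte header, not a real capture.
function buildSampleHeader(version, exeName, hash) {
  const bytes = new Uint8Array(84);
  const view = new DataView(bytes.buffer);
  view.setUint32(0, version, true);
  bytes.set([0x53, 0x43, 0x43, 0x41], 4); // "SCCA"
  view.setUint32(12, bytes.length, true); // file size field
  for (let i = 0; i < exeName.length; i++) view.setUint16(16 + i * 2, exeName.charCodeAt(i), true);
  view.setUint32(76, hash, true);
  return bytes;
}

console.log(inspectPrefetch(buildSampleHeader(30, 'CMD.EXE', 0x1234abcd), 'CMD.EXE-1234ABCD.pf'));
```

A `compressed` result only identifies the container; the header fields become readable after Xpress Huffman decompression, which this sketch does not perform.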